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ABSTRACT 

Numerous lessons have been documented from the Space Shuttle Propulsion elements. Major 
events include loss of the Solid Rocket Boosters (SRB’s) on STS-4 and shutdown of a-Space Shuttle 
Main Engine (SSME) during ascent on STS-51F. On STS-112 only half the pyrotechnics fired during 
release of the vehicle from the launch pad, a testament for redundancy. STS-91 exhibited freezing of a 
main combustion chamber pressure measurement and on STS-93 nozzle tube ruptures necessitated a 
low liquid level oxygen cut off of the main engines. A number of on pad aborts were experienced during 
the early program resulting in delays. And the two accidents, STS-51L and STS-107, had unique 
heritage in history from early program decisions and vehicle configuration. Following STS-51L significant 
resources were invested in developing fundamental physical understanding of solid rocket motor 
environments and material system behavior. And following STS-107, the risk of ascent debris was better 
characterized and controlled. Situational awareness during all mission phases improved, and the 
management team instituted effective risk assessment practices. The last 22 flights of the Space Shuttle, 
following the Columbia accident, were characterized by remarkable improvement in safety and reliability. 
Numerous problems were solved in addition to reduction of the ascent debris hazard. The Shuttle 
system, though not as operable as envisioned in the 1970’s, successfully assembled the International 
Space Station (ISS). By the end of the program, the remarkable Space Shuttle Propulsion system 
achieved very high performance, was largely reusable, exhibited high reliability, and was a heavy lift earth 
to orbit propulsion system. During the program a number of project management and engineering 
processes were implemented and improved. Technical performance, schedule accountability, cost 
control, and risk management were effectively managed and implemented. Award fee contracting was 
implemented to provide performance incentives. The Certification of Flight Readiness and Mission 
Management processes became very effective. A key to the success of the propulsion element projects 
was related to relationships between the MSFC project office and support organizations with their 
counterpart contractor organizations. The teams worked diligently to understand and satisfy 
requirements and achieve mission success. 


INTRODUCTION 

The propulsion elements provided a remarkable, high performance, reusable rocket engine; 
evolved to provide highly reliable, large solid rocket motors; provided a fully integrated, recoverable and 
reusable booster system; and provided a structurally efficient propellant tank with truly significant debris 
risk reduction. Integration of the propulsion system enabled reliable earth to orbit performance with very 
small margins. We finished strong. The final 22 flights were not easy, but were a fulfilling contribution to 
human spaceflight, worthwhile work. STS-135 flown July of 201 1 was a superb “completion of mission”. 

In this paper the successes of the final 22 flights are discussed, followed by a discussion of the major 
events experienced by the propulsion elements during the program. This is followed by an assessment of 
issues worked during the last 22 flights, looking for recurring themes and lessons. Finally, observations 
concerning project management practices, and applicability of the propulsion elements to future launch 
systems are discussed. 

During the final flights the propulsion elements embraced a culture of continuous improvement. 
This was evident in all the elements. Some design changes were implemented in response to the 
Columbia Accident Investigation Board findings, and many were initiated prior to STS-107 and 
implemented in the flight program during this era. Each element is discussed below. 

SPACE SHUTTLE MAIN ENGINE 

The space shuttle main engine implemented a number of design and processing improvements, 
as well as a major safety upgrade, the advanced health management system. Additionally the engine 
solved a life issue related to seals in the high pressure oxidizer turbopump with a redesign, and 



implemented a number of improved insulation systems intended to eliminate liquid air formation during 
prelaunch. A redesigned fuel flow meter was implemented which eliminated a fluid dynamic phenomena 
which had occasionally resulted in a slight shift in measured flow rate on the prior design. Manufacturing 
improvements were also noted in reduced time for nozzle fabrication, significant for reducing 
manufacturing costs. Additional operational improvements included upgrades to software, updates to the 
spark ignition system, and improved durability and margins to fasteners at one of the oxygen system 
joints. These upgrades are shown pictorially, in Figure 1 below, along a timeline illustrating the final 
flights of the Space Shuttle. 
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Figure 1. Space shuttle main engine improvements 

EXTERNAL TANK 

The External Tank project provided significant debris reduction redesigns and processing 
improvements during the final era of Shuttle flights. Additionally the tank transitioned to use of friction stir 
welding while implementing major structural upgrades in the manufacturing process. For an expendable 
element, the tank implemented a very effective post flight assessment process. The debris reduction 
efforts were implemented in a process of continuous improvement during this era of flight. Existing tanks 
(already manufactured) were retrofitted with redesigns in areas identified as high risk for debris 
generation. Eventually, for STS-124, the redesigns were incorporated as the tanks were manufactured, 
and additional redesigns were implemented. Processing improvements included use of low spray guns 
for thermal protection system application reducing the occurrence of flaws in the final product, additional 
attention to human factors for manual processing, use of high fidelity mockups during manufacturing to 
assess quality, video review of critical spray processes, and use of non destructive evaluation of the 
finished product. Design improvements included redesign of the bipod fitting foam closeout to eliminate a 
debris source, addition of a bellows heater within the liquid oxygen feedline to preclude ice formation 
(another potential debris source), addition of a feedline camera to observe debris performance during 
ascent flight, elimination and redesign of thick foam applications including protuberance air load ramps 
and ice frost ramps, and a very innovative ice reduction redesign changing the liquid oxygen feedline 
brackets from aluminum to titanium. The result of these debris reduction initiatives was roughly a two 
order of magnitude reduction in impact energy for observed debris events during the final flights. And 


during all this effort, the tank project successfully implemented friction stir welding in the manufacturing 
process and transitioned the structural configuration of several major components from aluminum-lithium 
to an aluminum alloy with better weld properties, to improve manufacturability. All these changes were 
accomplished without adding weight to the tank. And of great significance was hurricane Katrina, 
severely damaging the manufacturing facility, and a hail storm which severely damaged a tank while on 
the launch pad. Recovery from these major events, and implementation of all improvements was a 
remarkable accomplishment and are illustrated pictorially, in Figure 2 below. 
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Figure 2. External tank improvements 

REUSABLE SOLID ROCKET MOTOR 

The redesigned solid rocket motor implemented a major booster separation motor redesign, and 
used an “intelligent pressure transducer” for flight data acquisition. The booster separation motor 
redesign was implemented due to the need to procure these components from a new vendor, as the 
previous supplier chose to discontinue production. Additionally, obsolescence drove re-qualification of an 
adhesive used in the nozzle. Several redesigns eliminated low design margins including elimination of an 
inactive stiffener ring and redesign of the propellant forward grain. Several innovative design 
improvements included use of a new o-ring material which had excellent elastomeric properties even at 
low temperature, and inclusion of thermal barrier material within nozzle joints called “carbon fiber rope” 
which absorbed heat and protected joint sealing materials. During this era the delays caused by STS-107 
resulted in the solid rocket motor project assessing age life of previously built units to assure flight 
worthiness. Also during this timeframe a train trestle collapsed during a major hardware shipment, 
requiring extensive engineering evaluation both to recover the affected hardware from the scene of the 
accident, and to re-manifest other hardware to support the flight schedule. Performance of the motors 
was quite remarkable on each flight. 
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Figure 3. Reusable solid rocket motor improvements 

SOLID ROCKET BOOOSTER 

The solid rocket booster element implemented a frangible nut cross over feature and provided 
extraordinary in flight video and data recording. The frangible nut design change significantly reduced the 
risk of having a condition at lift-off called “stud hang-up”. This occasionally induced an undesirable load 
into the aft skirt during lift off from the pad. The in flight video implemented following STS-107 provided 
remarkable ascent videos to observe the vehicle’s potential for ascent debris. Additionally, because the 
boosters were recovered, they were an ideal platform for standalone data systems to record flight data. 
This was done on several occasions, and near the end of flight significant data was collected to 
investigate the potential for thrust oscillations within the solid rocket motor, and to record structural 
response of the hardware as well. Several redesigns were implemented including a change of material 
for the aft external tank attach ring to address a material condition and structural margin issue. And near 
the end of flights a redesigned auxiliary power unit fuel pump eliminated a critical failure mode within the 
pump, improving flight safety. Additional changes included a modification to the power bus isolation 
system to eliminate a failure mode and implementation of a new command receiver decoder, part of the 
range safety system. The solid rocket booster element performance was outstanding and provided 
significant data to resolve and evaluate system level issues. 
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Figure 4. Reusable solid rocket booster improvements 

PROPULSION SYSTEMS ENGINEERING AND INTEGRATION 

And the Propulsion Systems Engineering and Integration project added new capabilities including 
imagery analysis, lift off debris assessment, mitigation of debris risk, and contributed to solutions of a 
number of problems. This included development of a flowliner placard to eliminate a flow induced 
dynamic environment (which could damage a bellows within the main propulsion feed system). This 
office was instrumental in evaluation of the newly acquired ascent imagery implemented following STS- 
107. Additionally, significant improvements in evaluation and control of lift off debris were implemented. 
These included numerous inspections of the pad, awareness of potential foreign object debris, corrective 
actions to abate possible debris sources where possible, and evaluation of an aging flame trench at the 
pad. These and many more are illustrated pictorially in Figure 5. Improvements were implemented in the 
assessment of day of launch wind constraints and the ability to monitor and evaluate lightning events at 
the pad. Main propulsion system personnel were essential in contributing to solutions for a liquid oxygen 
system pre-valve component which exhibited cracking, and for resolution of a flow control valve issue 
discovered when a valve poppet failed during flight of STS-126. To optimize propellant usage, the 
commanded mixture ratio was adjusted, based on system modeling. The integrated propulsion system 
exhibited remarkable success during the final 22 flights. 
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Figure 5. Propulsion systems engineering and integration improvements 

DISCUSSION OF RECURRING THEMES 

In reviewing lessons during the program experienced by the propulsion elements, and by 
examining problem resolution, it was useful to categorize contributors to root cause where possible. The 
first three categories chosen for study included deficiencies in design, inadequate verification of design, 
and/or escapes during manufacturing, processing, and operations. These can be thought of as 
encompassing the systems engineering life cycle for the program or project. The final major category 
chosen was management processes, which at times has been a contributor to poor decision making. The 
purpose is to look for recurring themes, useful for future consideration. These categories are further 
defined and discussed below (see Figure 6). 


Design deficiencies can result in fundamental hardware problems, avionics design and software 
errors, or instrumentation system problems including instrument failure. Some issues can be a result of 
the top level system configuration and/or materials of construction choices made early in the program. 

Inadequate design verification can be can result in consequences during the flight program from 
several sources. Inadequate definition of environments or failure to understand life limits for hardware in 
its use environment can be a contributor. Inappropriate or inaccurate design analyses (or uncorrelated 
analyses) can lead to failures in test or flight. Inadequate testing (hardware or software) for verification of 
requirements, or inability to accomplish adequate combined environment testing has been noted on 
occasion. This is especially true for space launch systems where the combined environments are 
complex (not possible to duplicate them accurately in ground testing). And finally the inability to identify 
interactions among hardware elements, failure to anticipate unintended consequences, or inadequate 
systems integration can lead to problems. 


During manufacturing, processing, and operations, process escapes and human errors can lead 
to undetected issues. These may be traced to inadequate process controls, or problems traced to 
acceptance of discrepant hardware (which did not meet acceptance requirements). Inadequate sub-tier 


vendor controls indicated by inadequate process controls or design standards at a vendor (undetected by 
the prime) have been noted. Acceptance criteria alone may prove insufficient for parts procured from a 
vendor. And finally poor situational awareness where inadequate operational data is available to assess 
risks can lead to in flight issues. 

Poor management processes can be manifested in poor communications where problems are a 
result of the inability to communicate accurate information, or provision of inadequate resources which 
may include factors leading to workforce fatigue. For multi-decade programs loss of corporate knowledge 
and retention of adequate technical skills (with knowledge of the design intent) is difficult. And finally, on 
occasion management processes which led to the acceptance of increasing levels of risk were observed. 
This may be accompanied by accepting deviations from the design intent without implementing corrective 
action, incorrect interpretation of a prior warning, inadequate interpretation of post flight conditions, or lack 
of adequate trend data. 

These categories are summarized in Figure 6. As specific examples of problems experienced 
and solved during the space shuttle flight program are described, the matrix in Figure 6 is used to best 
characterize major contributors to root cause for each lesson or experience. 

• Design Deficiency 

• Hardware - problem traced to a fundamental hardware (including avionics) design 

• Software - problem traced to poor software design or software errors 
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Figure 6. Recurring themes 

PROPULSION SYSTEM MAJOR LAUNCH OPERATIONS OBSERVATIONS AND IN-FLIGHT EVENTS 

Loss of both Solid Rocket Boosters (SRB’s) on STS-4 at water impact: Both SRB’s failed to 
decelerate properly after separation of the frustum from the booster. A change had been implemented to 
include explosive ordnance, designed to deflate the chutes at water impact (by separating half the 



parachute risers). This device activated prematurely at frustum separation. This caused the chutes to 
stream instead of filling, resulting in the loss (sinking) of both SRB’s due to very high water impact 
velocities. The malfunctioning of the switch was due to shock loads induced from the pyrotechnics for 
frustum separation. The settings on the g-switch, intended to activate the chute deflation was found to be 
marginal for this induced shock load. 
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Hydrogen leakage in the aft compartment prior to STS-6: On the maiden flight of Challenger in 
1982, a flight readiness test on the launch pad revealed a hydrogen leak. The launch was postponed. 

The source of the leak was difficult to identify post test, as it emanated from the high pressure portion of a 
main engine; the engine operation was required to experience the leakage. A second flight readiness test 
confirmed the leakage, and special testing was required to finally identify the source, a crack in a weld 
repair on part of the fuel line plumbing. The number one main engine, the one with the leak, was 
replaced. In this case, the hardware repair had been accepted per normal review processes, but the 
crack had grown in service to become an unacceptable condition. 


Design Deficiency 

Inadequate Verification 

Inadequate Mfg., Proc., and Ops. 

Poor Management Processes 

Hardware 


Environments 


Process escapes 


Communications 


Software 


Analysis 


Hardware acceptability 

X 

Resources 


Instrumentation 


Testing 


Sub-tier vendor controls 


Corporate knowledge 


Svs. Configuration 


Consequences 


Situational awareness 


Escalation of Accepted Risk 



Abnormal solid rocket motor nozzle erosion on STS-8: During the flight of STS-8 the 
carbon/phenolic ablative rings on the forward nose of one of the nozzles exhibited a high rate of erosion, 
called pocketing erosion. These ablative rings form the interior contour of the nozzle and protect the 
nozzle’s metal structure from the exhaust gases. The major contributor was determined to be high tensile 
strain in the plane of the carbon cloth fibers. This condition was induced by high thermal conductivity 
along the plies and thermal expansion normal to the plies. The corrective action included a ply angle 
change to the design to reduce the material stresses. 
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STS-51F Space Shuttle Main Engine Shutdown during ascent flight: On STS-51F a premature 
engine shutdown 350 seconds into flight was caused by the high pressure fuel turbopump discharge 
temperature measurements which both exceeded the redline. The other two engines operated longer 
than planned to obtain a successful “abort to orbit”. Post flight inspection confirmed that both temperature 
sensors had failed and analysis of data showed that there was no problem with the engine performance. 
This was the only in-flight SSME shutdown of the Shuttle program. Following the center engine shut- 
down, a sensor in another main engine also failed at the high temperature limit. Premature shutdown of 
the engine was prevented when mission control instructed the shuttle commander to inhibit the protection 
circuitry. Post flight inspection showed that sensor failures were caused by element wire breakage. 
Sensors of a new improved design were used on subsequent flights. The lesson is that instrumentation 
systems can be less reliable than your hardware. 
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STS 51 -L Loss of Crew and Vehicle: The failure of the solid rocket motor field joint sealing 
system during launch of Challenger on January 28, 1986 has been well documented, and investigated by 
the Rogers Commission. The combination of a design which allowed the joint to open during motor 
pressurization coupled with extremely cold temperature on the day of launch resulted in hot gas leakage 
leading to structural failure of the vehicle and loss of the crew. The investigation revealed prior warnings 
of problems with the field joints, and an increasing acceptance of risk as flights proceeded. Redesign 
following the accident corrected the design’s shortcomings, and produced a design that has multiple 
layers of protection. These improvements include a capture feature that greatly reduces gap opening, an 
innovative seal within the segment insulation called a j-leg, joint heaters, and improved assembly 
procedures. The redesign flew successfully throughout the remainder of the program, with no indications 
of sealing problems. A number of cultural, managerial, and decision making process improvements were 
implemented, and the government/industry team performed exceedingly well during the remainder of the 
program. 



Figure 7. Solid Rocket Motor Field Joint Redesign 
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On Pad Aborts: While preparing for STS-41 D on June 26, 1 984 the countdown for the second 
launch attempt for Discovery’s maiden flight ended at T-4 seconds when the main engine controller 
detected a sluggish valve in main engine number three. The main engine was replaced and Discovery 
launched on August 30, 1984. This launch attempt marked the first time since Gemini 6A that a crewed 
spacecraft experienced a shutdown of its engines just prior to launch. During preparation for STS-51 F on 
July 12, 1985, Challenger’s countdown halted at T-3 seconds due to a problem detected with a coolant 




valve on main engine number two. The valve was replaced and Challenger was launched on July 29, 
1985. And while preparing for the launch of STS-55 on March 22, 1993, Columbia’s countdown halted at 
T-3 seconds when a problem was detected with a purge pressure reading in the oxidizer preburner on 
main engine two. All three main engines were replaced on the pad, and the flight was rescheduled after 
STS-56 and launched on April 26, 1993. In preparation for STS-51 on August 12, 1993 the countdown 
for Discovery’s third launch attempt halted at the T-3 second seconds when a main engine controller 
detected failure of one of four sensors in main engine number two which monitor hydrogen flow. All 
three main engines were replaced on the pad, delaying the fourth launch attempt until Sept. 12, 1993. In 
preparation for STS-68 on August 18, 1994, Endeavour’s countdown was halted at 1.9 seconds before 
liftoff when a higher than acceptable reading in one sensor monitoring the discharge temperature of a 
high pressure oxidizer turbopump was detected. A test firing of the engine at the Stennis confirmed a 
slight drift in a fuel flow meter in the engine that caused a slight increase in the turbopump’s temperature. 
The test firing also confirmed a slightly slower start for main engine number three during the pad abort, 
which could have contributed to the higher temperatures. Following replacement of all three main 
engines in the Vehicle Assembly Building, Endeavour was launched on October 2. Launch commit 
criteria have been a key in detecting problems, prior to flight, contributing to mission success. 
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Hydrogen leakage STS-35: The launch was first scheduled for May 16, 1990 but was scrubbed 
during tanking due to a leak in the external tank to orbiter 17-inch quick disconnect assembly. Hydrogen 
was also detected in orbiter's aft compartment but was believed to be associated with leak involving 17- 
inch umbilical assembly. This hardware was replaced in the vehicle assembly building and Columbia 
rolled out to Pad A for second time. During tanking, high concentrations of hydrogen were detected in 
orbiter's aft compartment, forcing another postponement. NASA managers concluded that Columbia had 
experienced separate hydrogen leaks from beginning; one from the umbilical assembly (now replaced) 
and one or more in aft compartment which had resurfaced. Suspicion focused on three hydrogen 
recirculation pumps in aft compartment. These were replaced and retested. However, the fuel leak in aft 
compartment resurfaced again during tanking and the mission was scrubbed. The STS-35 mission was 
put on hold until the problems were resolved by a special tiger team assigned by the space shuttle 
program. The hydrogen leak investigation team analyzed available data from previous tests and 
developed a fault tree which identified suspect joints for further test and inspection. In addition, leak 
check and gas detection methods were reviewed. A suspect joint list was developed based on the fault 
tree and each of these joints was repaired and/or re-torqued. Following systematic leak checks and 
another tanking test using special instrumentation the leak was finally eliminated and the mission 
proceeded. When dealing with hydrogen systems, processes must assure adequate sealing system 
performance. 


Design Deficiency 

Inadequate Verification 

Inadequate Mfg., Proc., and Ops. 

Poor Management Processes 

Hardware 


Environments 


Process escapes 


Communications 


Software 


Analysis 


Hardware acceptability 

X 

Resources 


Instrumentation 


Testing 


Sub-tier vendor controls 


Corporate knowledge 


Sys. Configuration 


Consequences 


Situational awareness 


Escalation of Accepted Risk 



STS-78 Pressure Sensitive Adhesive: Hot gas penetrated past the tips of solid rocket motor j- 
legs (an innovative thermal barrier which inhibits gas flow to the motor case joints) on STS-78 launched in 
July 1996. A new environmentally friendly pressure sensitive adhesive was used for the first time on this 
flight. The new adhesive had worked well in static testing. Investigation revealed that the humid 
environment at Kennedy Space Center reduced the strength of the adhesive. The corrective action was 
to return to the baseline adhesive. Verification testing must include all operating environments and 
parameters. 
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STS-91 SSME Chamber Pressure Channel A Failure: On 06/02/1998, during Discovery’s ascent, 
the Main Combustion Chamber (MCC) Chamber Pressure Channel A sensor ceased to respond on main 
engine one. During throttle down, channel A exceeded the 200 PSID limit (the sensor did not follow the 
engine power level). Main Engine one was controlled by Channel B for the remainder of ascent. No 
engine problems were experienced and Discovery continued to a nominal orbit insertion. The channel A 
sensor, however, remained qualified for redline monitoring by the controller, since it was with reasonable 
limits. If the engine had experienced a real problem that drove the engine to a chamber pressure redline, 
sensor B (the good one) would have called for an over-speed shutdown which would have been ignored 
by the controller because sensor A (the bad one) remained qualified for redline monitoring. Hence redline 
protection had been lost. Contamination was found (post flight) to have plugged the chamber pressure 
port (a material from a leak check performed during engine manufacture). Control of foreign object debris 
is essential. 


LTMCC 

Forward Manifold 



Lee- Jet 

Figure 8. Contaminated Chamber Pressure port 
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STS-93 Orbiter wiring and Space Shuttle Main Engine (SSME) nozzle tubes punctured during 
ascent flight: Two serious in-flight anomalies occurred during ascent flight on STS-93. One main engine 
controller primary circuit, and one back-up circuit, on separate engines dropped offline when an Orbiter 
AC power bus experienced a short circuit 6 seconds after liftoff. The redundant controller circuits (one on 
each engine) worked throughout ascent, but redundancy had been lost on two engines. This flight 
observation initiated a system level inspection of all Orbiter wiring. Clearly redundancy management had 
been key to mission success. Additionally, on STS-93, a nozzle fuel leak on one engine resulted in a 
premature main engine shut down (low level liquid oxygen cutoff) due to an SSME liquid oxygen pin being 
ejected from an injector post in the main combustion chamber. The pin penetrated 3 nozzle coolant lines 
causing a hydrogen leak from the nozzle. The loss of fuel caused the main engine controller to increase 
power level (an increase in turbine power requires an increase in oxidizer flow) which depleted oxygen 
prematurely. Acceptable orbit insertion, or orbital velocity, was provided by the Orbiter Maneuvering 
System, post main engine shutdown. Corrective action called for elimination of pins used in the main 




combustion chamber liquid oxygen posts. Redline protection was essential in achieving mission 
success. 



Figure 9. Punctured nozzle coolant tubes from STS-93 
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STS 112 Pyrotechnic Initiator Controllers (PICs) did not discharge: On STS 112 in 2002, half the 
critical pyrotechnic systems, which release the shuttle from the launch pad, did not work. Post launch 
review indicated that the Pyrotechnic System A Hold Down Post (HDP) and ET Vent Arm System 
(ETVAS) Pyrotechnic Initiator Controllers (PICs) did not discharge. The most probable cause was 
narrowed down to loss of the fire command due to a single wire path failure at the T-0 interface. Solid 
Rocket Booster exhaust and salt-spray environment of the pad likely created corrosion on the connectors. 
This corrosion eventually interrupted safety-critical circuits. Because the systems had redundancy, the 
flight launched successfully. The connectors were inspected for corrosion on subsequent flights. 
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STS 107 Loss of Crew and Vehicle: The loss of crew and vehicle during entry of Columbia on 
February 1 , 2003 was a result of debris damaging the Orbiter wing during ascent. This accident was well 
documented by the Columbia Accident Investigation Board report. Prior warnings of debris damage had 
been evident throughout the history of the program, but had usually been treated as a maintenance and 
refurbishment item. Following STS-107 corrective actions were implemented to remove sources of foam 
debris where possible, improve process controls, and preclude ice formation in selected components as 
well. The debris risk mitigation efforts continued as the flight program continued. Generally the effect of 
debris mitigation efforts during the final 22 flights resulted in a two order of magnitude reduction in 
possible impact energy. The program also implemented on orbit inspection to assess the Orbiter heat 
shield prior to entry, and developed a thermal protection system repair capability if needed during orbit. 





The resulting redesigns and operational procedures enabled successful management of risk during the 
remainder of the flight program. 



Figure 10. STS-114 External Tank Redesigns resulting in Reduced Ascent Debris Risk 
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Summary from the major launch operations observations and in-flight events: It is apparent from 
the summary table below that a number of issues were related to design, verification, and processing. 
Design changes must always be assessed for unintended consequences, and require adequate 
certification. Redundancy management was a key to success on several occasions. Also, 
instrumentation systems can be less reliable than the hardware it is monitoring. Control of foreign object 
debris is essential. Wiring and connectors in a reusable system can be especially vulnerable to wear and 
collateral damage. The program’s management processes were criticized following the major failures, as 
risks were poorly communicated, and increasing levels of risk were accepted without corrective action. 
Situational awareness, good communications, adequate resources, and a clear understanding of 
accepted risk are essential to success. The consequences of failure were severe, loss of life, loss of 
mission, and change of space policy. Where possible, drive out failures via ground testing or non crewed 
flight testing. 
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Loss of both Solid Rocket Boosters (SRB's) on STS-4 
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Hydrogen leakage in the aft compartment prior to STS-6 
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Abnormal solid rocket motor nozzle erosion on STS-8 
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STS-51F Space Shuttle Main Engine Shutdown during ascent flight 
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STS 51-L Loss of Crew and Vehicle 
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Hydrogen leakage STS-35 
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STS-78 Pressure Sensitive Adhesive 
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STS-91 SSME Chamber Pressure Channel A Failure 
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STS- 93 Orbiter wiring and Space Shuttle Main Engine (SSME) during ascent flight 
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112 Pyrotechnic System Pyrotechnic Initiator Controllers (PICs) did not discharge 
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STS 107 Loss of Crew and Vehicle 
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The Final 22 Flights 

Surprisingly, a number of design changes were made late in the program, to address known 
problems, or to implement planned upgrades. Several of these are briefly discussed here. While these 
are not major redesigns or block upgrades, all had to be evaluated for unintended consequences. 
Occasionally these consequences also had to be addressed. Additionally problems worked are 
summarized, best characterizing root cause as above. Issues involving design or design changes are 
discussed first, followed by issues related to processing. Finally, some items where new knowledge 
about the system was acquired after all these years are discussed, followed by some unique observations 
related to unexpected events. 

ISSUES RELATED TO DESIGN OR REDESIGN. AND VERIFICATION 

External Tank (ET) Liquid Hydrogen Tank (LH2) Ice Frost Ramps: A unique opportunity arose 
following STS-1 14, when an External Tank (ET-120) was returned to the manufacturing facility after 
undergoing two cryogenic cycles on the launch pad. Detailed inspection of a flight tank following partial 
operation had never been done before. Dissection data of the thermal protection foam material from ET- 
120 (post cryogenic cycling) revealed significant foam cracking and delaminations within the liquid 
hydrogen tank ice frost ramps and protuberance air load ramps (PAL). The PAL ramps were 
subsequently removed. Subsurface cracking and delaminations in the ice frost ramps, were believed to 
be linked to stresses induced by thick foam. Reducing foam thickness was thought to be a solution. 
However, reshaping the ramps revealed conflicting thermal and debris requirements and did not address 
root cause. Subsurface cracks and delaminations were later found to be caused by cryogenically induced 
liquid air intruding into “built-in” leak paths and reservoirs. Once the failure mode was fully understood, a 
redesign was initiated which met thermal and debris requirements. Additionally, identification of the 
correct failure mode enabled updated risk assessments showing greatly reduced ascent debris risk from 
these ramps. The lesson to remember is that failure modes and effects must be fully understood and 
characterized. The ability to get direct inspection of actual hardware after service is invaluable. 



Figure 11. Liquid Hydrogen Tank Ice Frost Ramps 
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Redesign of the Liquid Oxygen Feed-line Bracket: A significant change implemented during the 
final 22 flights was the redesign of the feedline support brackets (from aluminum to titanium) greatly 
reducing the risk from ice debris, and eliminating a failure mode discovered at the bracket to feedline 
interface. The material change greatly simplified the foam closeout on the bracket, and dramatically 
reduced ice formation on the bracket. The initial redesign included a gap at the bracket to feed-line 
interface, susceptible to ice formation. Ice growth at these interfaces could bridge the gaps between the 
bracket and feedline, and subsequent articulation of the joints could cause the foam to crack. This could 
have resulted in ice and foam debris. Flight video data from STS-1 18 revealed the potential debris risk 
(from an aluminum bracket with a similar gap), and a slip joint was successfully added to the redesign, 
eliminating the gap (and ice). This design was extremely successful, flying on twelve of the final twenty- 
two flights. 



Figure 12. Liquid Oxygen Feedline Titanium Bracket 
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Solid Rocket Booster (SRB) Pyrotechnic Cross-over Redesign and Debris Containment Plunger 
Failure: During launch of STS 126 video showed the SRB hold-down post (HDP) plunger spring, and 
plunger, extending during liftoff from the debris containment system. Concurrent with this launch a design 
change had been implemented to reduce the occurrence of a condition called “stud hang-up” a recurring 





anomaly during the program. A pyrotechnic crossover feature had been added to the SRB frangible nut, 
part of the system which released the Shuttle from the pad. The change enabled nearly simultaneous 
firing of two pyrotechnic charges in the nut. The crossover successfully mitigated the potential for stud 
hang up, but an unintended consequence was discovered. The decreased pyrotechnic skew time (the 
time between the two charges firing) increased the velocity of the debris containment system plunger, and 
increased the chance of a plunger being released. A design modification (called retention blocks) was 
successfully implemented within the debris containment system housing to address this issue for STS- 
119 and subsequent missions. All changes must be evaluated for potential unintended consequences. 



Figure 13. Pyrotechnic cross over and plunger/spring released during lift-off 
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Ground Umbilical Carrier Plate (GUCP) Disconnect: A recurring problem during the program was 
leakage from the ground interface disconnect for the hydrogen vent line from the External Tank to the 
hydrogen burn stack. Leakage from the GUCP had been a nuisance occasionally during the program, 
and recurred on STS-119 and again on STS-127. Seals and interface hardware were replaced. The 
problem recurred on STS-133 and a detailed alignment procedure was developed to align the ground 
system interface to the flight seal with a high degree of concentricity. The corrective actions enabled 
process and assembly controls to be adequate to meet the design intent. One lesson is, if you are not 
able to identify root cause and implement corrective action, anticipate recurrence sometime in the future. 
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Redesign of Space Shuttle Main Engine High Pressure Oxidizer Pump Knife Edge Seals: 

Inboard and outboard turbine exit knife edge seals in the High Pressure Oxidizer Turbopump (HPOTP) 
were redesigned in order to fix two different problems (one problem with each of the two seals). Changes 
were certified through analysis, component test, and engine testing. Significant testing was required to 
identify root cause and to certify the design change. The entire effort took three years to work the 
redesigned hardware into the flight program. The redesigned outboard seal incorporated damping to 
resolve a fluid-structure instability which was most likely induced by certain combinations of effects from 
the surrounding flow (certain flow rates, pressures, etc.). The redesigned inboard seal incorporated a 
single larger tooth to eliminate acoustic interactions. This design change was essential in eliminating a 
life limit on the pumps, which was a significant impact to flight operations. 
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Solid Rocket Motor Operational Pressure Transducer (OPT) Redesign: During the final flights of 
the program a change was implemented to replace the flight OPT’s with a newer design (from a new 
vendor because the original supplier had gone out of business), first implemented on STS-1 14. Twelve 
units of the new OPTs were successfully flown before an OPT failure occurred on STS-1 17 during the 
pre-flight Shuttle Interface Test (SIT). Workmanship and design deficiencies were identified via a failure 
investigation. It was determined that the circuit boards, as designed, did not meet design standards. 
Redesign and re-qualification of this design was completed but not flown. The remainder of the flight 
program was completed using the previous vendor’s units. The redesigned units were held as spares. 
The key lesson is that sub-tier vendor design standards and process controls must meet flight standards, 
and the prime contractor must assure acceptability of their procured parts. 


Design Deficiency 

Inadequate Verification 

Inadequate Mfg., Proc., and Ops. 

Poor Management Processes 

Hardware 

X 

Environments 


Process escapes 


Communications 


Software 


Analysis 


Hardware Acceptability 


Resources 


Instrumentation 


Testing 


Sub-tier vendor controls 

X 

Corporate knowledge 


Svs. Configuration 


Consequences 


Situational awareness 


Escalation of Accepted Risk 



ISSUES RELATED TO MANUFACTURING. PROCESSING. AND OPERATION 

STS-1 14 Increased Number of LH2 Pre-pressurization Cycles: In preparation for STS-1 14 an 
increased number of cycles were noted during pressurization of the hydrogen tank to flight pressure 
levels. The cause was determined to be an out of configuration screen material for diffusers installed in 
the pressurization system. The condition was found to exist on several tanks. The screen material 
installed was not per engineering requirements (discovered at sub-tier supplier). A plain dutch weave 
wire was specified but a duplex dutch weave wire was used during manufacturing. This altered the 
pressure drop in the diffuser and changed the system response (pressure cycling). A redline on number 
of cycles was in effect, to attempt to detect hydrogen leakage from the vent valve, and this out of 
configuration part made violation of the redline a possibility. As corrective action all out of configuration 
diffusers were replaced. The lesson is that sub-tier vendor controls, and material acceptance inspections 
must insure proper configuration. 
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STS-1 33 External Tank Cracked Stringer: During preparations for launch of STS-1 33 stringer 
cracks were observed on the External Tank intertank liquid oxygen flange during propellant loading. 
Subsequent cracks were identified by nondestructive evaluation following roll back to vehicle assembly 
building. Extensive root cause investigation was performed and identified two primary contributors, first a 
material with low fracture toughness (isolated to two lots of material) had been used during assembly, and 
second loads and resulting residual stresses had been imparted during assembly of stringers due to 
tolerance stack up. A corrective action was successfully implemented by reinforcing the stringer feet near 
the end of the stringer. The lessons include the need for adequate sub-tier vendor controls, and material 
acceptance inspections must assure proper configuration. Also, design and assembly tolerances must 
accommodate the potential for residual stresses. 






A 



Figure 14. External Tank stringer cracks 
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SRB Ordinance ring installation (linear shape charge rotation): During STS-120 the Linear Shape 
Charge (LSC) failed to cut 22 inches of the frustum to forward skirt attach ring. The frustum separated 
successfully, but concern existed for future flights. An investigation determined that the failure to cut 
resulted from a rotated LSC subassembly (i.e. the LSC angle was too great for jet penetration). Analysis 
determined that the subassembly rotation was possible, based on dimensional data measure from actual 
lots. The corrective action included enhanced LSC installation techniques to minimize the potential 
rotation. Also an additional inspection, via nondestructive x-ray, was developed and added on all 
ordnance rings post installation to assure the LSC position. 
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Gas Generator O-ring Nondestructive Evaluation: During gas generator injector stem o-ring 
installation, in preparation for assembly of a solid rocket booster auxiliary propulsion unit, one of the 
rubber o-rings was rolled onto the installation bullet and the o-ring broke in half. The cause was 
determined to be use of a new x-ray machine at the vendor. The power level was sufficient to cause the 
o-ring material to become brittle. Corrective actions included test demonstration that the new machine 
could be programmed to prevent degradation of the O-ring material. 
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Space Shuttle Main Engine Powerhead missed post-proof Nondestructive Evaluation: It was 
discovered that several powerhead welds had not received penetrant inspection after the final top 
assembly proof pressure test. The planning paper for the proof test of powerheads had been modified to 
eliminate interim powerhead proof pressure tests. The planning modification did not appropriately 
incorporate the post-proof penetrant requirements for the welds. An investigation began after first escape 
was noted in order to determine scope and number of units affected. All hardware was assessed for 
acceptability and several inspections were conducted in the field. Inspection requirements must not be 
lost when processing changes are made. 
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Operational Pressure Transducers (OPT) Configuration Management: It was discovered during 
preparations for STS-1 19 that twelve of twenty-five Operational Pressure Transducers, OPT’s that had 
been designated “non-flight” (because they had experienced test environments exceeding flight 
environment), were flown on the Shuttle. The configuration management process should have prevented 
these OPTs from entering into flight inventory, but did not. The corrective actions included review of 
drawings to verify that all discrepant hardware was removed from flight inventory. All STS-1 19 OPT’s 
were removed and replaced. The lesson here is that flight hardware configuration and inventory control 
must be strictly maintained. 
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Weatherseal Debris - Missed Removal of Polyethylene Ply Backing: A thin Silica Filled Ethylene 
Propylene Diene Monomer (SF-EPDM) cap ply is placed over the butt joints of the RSRM factory joint 
extruded SF-EPDM weather-seal. The cap ply comes from the vendor with a poly backing on it and is 
supposed to be removed before assembly. A small piece of missing SF-EPDM weather-seal was found 
during STS-1 22 post-flight inspection. Further investigation determined that the poly backing on the cap 
ply had not been fully removed prior to application. This posed the potential to become a debris source 
and led to inspection of all accessible hardware in the fleet. A risk assessment was required prior to 
flight. 
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RepliSet Contamination: RepliSet contamination was found in Engine 2058, after its maiden 
flight, during post flight inspections. The source was identified as a flowliner mold material from molds 
taken prior to STS-1 21 . These inspections were to check for cracks in the flowliner bellows. The concern 
was raised for foreign object debris in all engines since molds were taken on all flow-liners. It was found 
that the repliset application and removal techniques did not guarantee all molds were removed intact. 

This was an oversight resulting from the flow-liner investigation by instituting an inspection without 
considering potential unintended consequences. The corrective actions included engine inspections and 
the elimination of repliset molds. Processing inspections must be evaluated for unintended 
consequences. Foreign object debris must be controlled. Everything that touches the flight hardware 
must be controlled. 
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Main Injector Face Nut Staking: Engine inspections noted two face-nuts improperly staked in the 
main combustion chamber. The concern was that the Main Injector LOX Posts could become loose 
during engine operation. The face-nuts had been replaced due to minor erosion during routine 
processing in the engine shop at the launch site. Review of staking procedures showed that tooling used 
during manufacturing was different from that used in the engine shop for the staking procedure. 

Additional tools were created and sent to all sites where face nut staking might be required. Procedures 
and tooling should be consistent across multiple sites. 
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STS-127 and STS-128 Nozzle Hotwall Leakage: A post-flight hotwall leakage increase on two 
nozzles was noted. Inspections showed presence of high levels of chloride ions which is well known 
corrosion accelerant. Investigation also found that the sponges used to apply corrosion inhibitor 
contained high levels of chloride ions. Use of these sponges was discontinued. The affected nozzles 
were repaired, cleaned and dry purges were implemented to protect against any future occurrence. 
Further investigation showed that a change in the procurement specification had allowed the sponges to 
become available in inventory. Interestingly, a similar condition had been identified years earlier during 
external tank manufacturing. A timeline is shown in Figure 15 below. Lessons are that adequate 
specifications are necessary for everything that touches the flight hardware and that process controls 
must be assured for multi-decade, multi-element programs. Implementation of effective problem reporting 
and corrective actions systems across a multi-element program, with multiple prime contractors and 
independent reporting systems, is quite a challenge. 



Figure 15. Timeline describing unrelated corrosion events. 
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External Tank (ET) Inter Tank Foam Loss: Unexpected foam losses occurred from the ET 
Intertank during ascent of STS-127. Imagery indicated visible areas of shiny primer from loss sites, 
indicating adhesion failures. Although the root cause could not be determined, most probable cause was 
inadequate cleaning of the surface prior to foam application. This was the first intertank to be processed 
following the plant shutdown after STS-107 and also following hurricane Katrina and damage to the plant. 
Since all remaining intertanks had already been sprayed at the time of STS-127, corrective action 








consisted of performing bond adhesion testing (sampling) on future intertanks. Since it is not over 100% 
of the area, the sampling could only provide confidence that the cleaning anomaly was not widespread or 
systemic. Unexpected events (i.e. Katrina) can lead to consequences revealed only in flight performance. 
Ensure that adequate controls/verifications are in place for critical processes. If you are unable to 
implement corrective action, anticipate recurrence in the future. 



Figure 16. Example of inter tank foam losses due to poor bond adhesion 
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STILL LEARNING AFTER ALL THESE YEARS 


Dynamic Environments: Amazingly, environments were updated throughout the program. Even 
during the final 22 flights a number of assessments were required to respond to changes in system level 
environments. Captured here are element level dynamic environments which were updated several times 
during these flights. In 2005 a review of RSRM static firing motor case measurements (random vibration 
environments) indicated that vibration criteria did not encompass the worst case environment. The result 
of the review required an instrumented system tunnel and linear shape charge, during a static motor 
firing. The new environments derived necessitated delta qualification for the range safety system (RSS) 
liner shape charge (LSC). For STS-124 a pyrotechnic shock waiver was required, when it was 
discovered that an anti-alias filter was not used during safe and arm (S&A) pyrotechnic shock testing. 
Delta qualification for the S&A device was required prior to STS-1 19. Additionally shock load testing was 
required for the aft booster separation motors. For STS-1 25 a motor ignition shock environment was 
defined, which again necessitated delta qualification for the new environments. Ignition shock loads were 
assessed for the aft exit cone LSC and operational pressure transducer, and delta qualification for this 
nozzle severance LSC was required. In 2010 in preparation for STS-1 30, development of random 
vibration criteria for the Ares five-segment motor highlighted an observation that RSRM full-scale static 
test random vibration data exceeded requirements at discreet frequencies and motor locations. All 
components were reassessed, and the range safety system LSC required lot acceptance delta 
qualification testing. All of these environment updates required extensive engineering analysis and 
testing for component re-qualifications, but no hardware modification was ever required. These 
assessments also required extensive integration with the range, for range safety system components. 
Additionally, as late as STS-1 30, the orbiter became concerned with ignition overpressure environments 
in the base region of the vehicle due to main engine ignition. Accelerometers and acoustic microphones 



were added to better characterize the environment and reduce the uncertainties applied to the loads 
analyses. Clearly dynamic environments should be understood and quantified such that hardware 
certification is not repeated. 
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External Tank external feed through connector - Engine Cut off Circuits: Beginning at STS-1 14, 
the frequency of liquid hydrogen engine cut off circuit failures increased. These failures seemed random, 
“healing” after the tank was drained and often did not recur on subsequent tank loadings. These 
remained unexplained and seemed to have stopped failing after sensors improvements were 
implemented. Following another failure on STS-122, however, the problem was finally isolated to the 
feed-through connector on the LH2 tank. The root cause was determined to be an open circuit at the 
pin/socket interface caused by relative motion in the presence of cryo-induced contamination (solidified 
air). The connection was redesigned to solder the sockets directly to the pins. The increased failure rate 
was likely caused by a subtle change to the socket design combined with extended connector durations 
in the mated condition (years vs. months). Interestingly, a similar problem and identical corrective action 
had been noted on the Atlas/Centaur program. Lessons include; ensuring that hardware is adequately 
qualified for its usage environment and the expectation that failures involving contamination will be 
random. Be aware of age life issues and pay attention to vendor/sub-tier vendor changes. Assess the 
effects of phase change when using liquid hydrogen, and treat frozen gases as potential contaminants. If 
you are unable to identify root cause and implement corrective action, anticipate recurrence in the future. 
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Solid Rocket Booster Aft Booster Separation Motor Debris: During STS-1 16 imagery captured a 
Booster Separation Motor (BSM) heat seal Thermal Protection System (TPS) debris impact on orbiter 
during ascent. Debris from this area was previously believed to have no transport potential to the orbiter 
vehicle. The Booster Trowelable Ablative (BTA) closeout was subsequently modified to mitigate debris 
liberation. The design modification significantly reduced debris mass while maintaining thermal and 
structural requirements. Analysis showed that the design modification was acceptable, eliminated the 
failure mode, provided consistent aft heat seal separation, and minimized possible debris. Demonstration 
testing was accomplished which verified the predicted failure region and limited debris size. Here, 
imagery collection during flight was invaluable in identification of unexpected failure modes and 
consequences. 
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Power Bus Isolation Supply (PBIS) Transformer: Testing and evaluation determined that the 
Integrated Electronic Assembly (IEA) PBIS transformer solder joints were susceptible to fatigue due to a 
potential for inadequate strain relief combined with exposure to thermal and vibration environments of 
flight. Even though this device was criticality 3 (data only), a thorough investigation was accomplished to 
assess the potential for failure propagation. Evaluation indicated that an open circuit in this non-critical 
device could potentially result in a current draw that might result in loss of a solid rocket booster power 
bus (loss of critical redundancy). An innovative external fuse design was implemented which isolated the 
PBIS. Testing verified other systems were not affected by operation of the PBIS fuse. The fuse 





removed the critical failure mode. Don’t just remove and replace “non-critical” devices, follow thru on 
failure investigations and with corrective actions where needed. 
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Flow Control Valve Failure: During ascent flight of STS-126, a main propulsion system flow 
control valve poppet broke, potentially allowing excess gaseous hydrogen to enter the External Tank (ET) 
ullage. Because there were three flow control valves, adequate pressurization was maintained during this 
flight. The crack initiation was most likely generated during ground processing. Lack of adequate pre- 
flight inspection methodology allowed for unchecked crack growth during flight, leading to failure. The 
most probable contributor to the failure was a high frequency acoustic environment induced uniquely 
during ground testing. The corrective action included enhanced inspections using several non destructive 
methods for the remainder of the program. All environments, including ground processing, must be 
assessed during hardware verification. 
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Lift Off Debris: For each mission beginning with STS-1 14, liftoff debris has been generated that 
has required assessment. Liftoff debris can be the result of the aging structure characteristics (rust), 
process escapes (forgotten tools/hardware), ice generation, and a result of the launch the environment. 
Examples of expected liftoff debris include rust, ice, frangible nut fragments, range safety coax cable 
remnants, and others. Mitigations included periodic pad walk downs and known debris source mitigations 
such as rust removal and painting. Aging facilities must be assessed for structural integrity and debris 
risk. 
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Unexpected Events can dramatically affect Programmatics: Unexpected events can affect the 
program in numerous ways. On the launch pad wind and lightning events can result in the need to 
reassess hardware configuration. A hail storm badly damaged an external tank prior to STS-1 17, 
requiring repair resulting in schedule delays. Launch delays in turn lead to longer exposure to the natural 
environment. In a very unexpected event, a train wreck including a trestle collapse occurred during 
shipment of solid rocket motor segments requiring urgent attention. And hurricanes including Katrina and 
Frances damaged critical manufacturing and assembly facilities. Unusual events require unique 
responses and diligence in implementing a recovery process. 



Figure 17. Unexpected Events 






Affect of Launch Scrubs: Shuttle launched only about 50% of the time the tank was loaded 
during the final flights. Roughly 50% of scrubs were due to weather and the others were hardware 
issues. Launch scrubs can cascade into a sequence of unintended or unexpected events (wind, 
lightning, rain, hail, and additional hardware problems), and can lead to workforce fatigue. The table 
below summarizes the launch history for the final 22 flights. 



SCRUB - 
Hardware 

ON PAD 
ABORT 

LAUNCH 

TOTAL 



* ET-119 replaced ET-iso 

** ET-iso tanked twice for STS- 114, then returned toMAF 


Table 1 . Launch scrub history for the final 22 flights 


Summary from the Final Flights: The final flight era certainly had issues to address. Remember 
this is the same complex vehicle architecture envisioned in the 1970’s. The Shuttle system was complex 
and choice of configuration and material systems led to operational impacts. Integration of the vehicle 
was difficult. The missions were far from routine. Issues ranged from design, to environments definition, 
and unintended consequences. As you would expect a number were related to processing during this 
era. And a key message is that sub tier vendor controls are important, and difficult to implement. Control 
of sub tier vendors varies across multiple prime contractors so this requires management awareness and 
attention. But also apparent from the summary table below, is that the management processes were 
excellent during this era of the program. Management of risk, acknowledgment of accepted risk and 
situational awareness improved dramatically. When problems arose the leadership team enabled 
collection and assessment of pertinent data, and management made informed decisions. Some items to 
remember are summarized below. 

■ Be aware of all changes, and assess all changes for unintended consequences 

■ Assess phase change when using liquid hydrogen, and treat frozen gases as potential 
contaminants. Expect failures involving contamination to be random 

■ Be aware of age life issues and vendor/sub-tier vendor changes 


































■ If you are not able to identify root cause and implement corrective action, anticipate recurrence 
sometime in the future 

■ Multi-decade programs are rife with opportunities for configuration escapes 

■ Adequate specifications are necessary for everything that touches the flight hardware 

■ Not all circuitry is readily available for checkout, in the launch configuration 

■ Shuttle launched only 50% of the time the tank was loaded with propellants, roughly 50% of the 
launch scrubs were due to weather, the rest were hardware related 

■ Launch scrubs can lead to a sequence of unexpected events (further exposure to wind, lightning, 
rain, hail, and additional hardware problems) and can lead to workforce fatigue 

■ Expect unexpected events requiring unique responses 

■ Situational awareness is essential during critical operations 

■ Imagery collection during flight is invaluable in identification of unexpected failure modes 
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X 
















Redesign of the Liquid Oxygen Feed-line Titanium Bracket 
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Solid Rocket Booster (SRB) Pyrotechnic Cross-over Redesign and Debris Containment Plunger Failure 
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Ground Umbilical Carrier Plate (GUCP) Disconnect 
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Redesign of Space Shuttle Main Engine High Pressure Oxidizer Pump Knife Edge Seals 
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Solid Rocket Motor Operational Pressure Transducer (OPT) Redesign 
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STS-114 Increased Number of LH2 Pre-pressurization Cycles 
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STS- 133 External Tank Cracked Stringer 
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SRB Ordinance ring installation (linear shape charge rotation) 
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Operational Pressure Transducers (OPT) Configuration Management 
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PROJECT MANAGEMENT BEST PRACTICES 

The conclusion of the program resulted in successful completion of the International Space 
Station and the final servicing mission for the Hubble Space Telescope. The final flights were among the 
best in debris performance, and the propulsion element performance was superb. 




ISS configuration, STS-114 


ISS configuration, STS-135 


HST servicing, STS-125 



During the program a number of project management processes were implemented and 
improved. Technical performance, schedule accountability, cost control, and risk management were 
effectively managed and implemented. Award fee contracting was implemented to provide performance 
incentives. The Certification of Flight Readiness and Mission Management processes became very 
effective. Risk management, as depicted in Figure 18 became routine within the program and propulsion 
elements. 
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Project Management evolved as Government/Industry 
partnerships dealt with complex risks during the Shuttle Program 


Figure 18. Management of Risk evolved during the Program 


Perhaps the most important aspects of success were related to relationships developed with the 
prime contractors, which evolved to become very successful government/industry partnerships. A key to 
the success of the propulsion element projects was related to relationships between the MSFC project 
office and support organizations, with their counterpart contractor organizations. The teams worked 
diligently to understand and satisfy requirements of the project. Frequent team building, daily 
communications, continuous feedback, and operating with openness created a climate where teams 
cooperatively resolved challenges and continually looked for ways to learn and improve. Even at the 
material suppliers and their sub-tier suppliers periodic visits were made to improve understanding and 
importance of space program requirements, and their impact on mission success. Teams used visits, 
presentations, videos, symposiums, seminars, other events to share the importance of product 
consistence. Trust and development of personal relationships were key features of the strong 
government/industry teaming, to solve problems, and complete the mission. 


Engineering also evolved during the 30 year program. As difficult problems were solved, 
engineering disciplines improved and evolved. New computational capabilities evolved and analysis tools 
were developed to address specific problems. Advanced computer aided design and manufacturing, new 
non destructive evaluation techniques, advanced materials including composites, and advances in 
fracture mechanics and failure analysis all contributed to hardware evolution and problem resolution. 
Figure 19 illustrates the improvement in engineering capability as new techniques became available and 
as they were applied to solutions of difficult problems. The government/industry teams were especially 
effective in accomplishing failure analysis, as both teams brought unique and complementary skills. The 
management and engineering teams evolved to a culture of continuous improvement and were very 
effective in completion of the program. 





Figure 19. Evolution of Engineering Capability 

Summing this up into major categories and recommended practices, the table below captures 
major items described in this paper. The propulsion elements and the Shuttle Program evolved during 
the flight program and in the final era of flight implemented excellent management and engineering 
practices, and exhibited many of these attributes. 



Desirable Attribute 

Design 

Block upgrades are an effective method to incorporate design changes 

Redundancy management is essential in critical systems 

Assure that instrumentation systems are more reliable than the hardware it is monitoring 

Design and assembly tolerances must accommodate potential for residual stresses 

Thoroughly assess the choice of configuration and material systems for operational impacts 

Verification 

Seek to drive out failures via ground testing or non crewed flight testing 

Imagery collection during flight is invaluable in identification of unexpected failure modes 

Dynamic environments should be properly understood and quantified 

All environments, including ground processing, must be assessed during hardware verification 

Where simulation of combined flight environments in ground test is not possible, collect flight data 

Be aware of all changes, assess design changes for unintended consequences, and require adequate certification 

Manufacturing, Processing, 
and Operations 

Control of foreign object debris is essential 

Wiring and connectors in a reusable system can be especially vulnerable to wear and collateral damage 

Assess phase change when using liquid hydrogen, and treat frozen gases as potential contaminants 

Expect failures involving contamination to be random 

Be aware of age life issues and vendor/sub-tier vendor changes 

Adequate specifications are necessary for everything that touches the flight hardware 

Flight hardware configuration and inventory control must be strictly maintained 

Appropriate launch commit criteria are essential 

Red line protection is essential in achieving mission success 

If you are not able to identify root cause and implement corrective action, anticipate recurrence sometime in the future 

Management Processes 

Seek to develop strong government/industry partnerships with a culture of continuous improvement 

Utilize the best combination of engineering resources including government and industry, expecially for failure analysis 

Pay attention to suppliers and sub-tier vendors with visible visits from management 

Seek to assure situational awareness, good communications, adequate resources, and a clear understanding of accepted risk 

When problems arise enable collection and assessment of pertinent data to make informed decisions 

Expect unexpected events, unusual events require unique responses and diligence in implementing a recovery process 


SUMMARY - EVOLVING TO FUTURE LAUNCH SYSTEMS 

The Shuttle Propulsion elements evolved to become highly reliable, flight proven systems which 
offer the opportunity for evolution to heavy lift, beyond low earth orbit, flight capability. The solid rocket 
booster and solid rocket motor can be configured in a five segment configuration developed during the 
Constellation program, currently in development testing. The Space Shuttle Main Engines exhibit the 




proven reliability from 135 flights and 35 years of ground testing, and exhibit the highest performance of 
any earth to orbit liquid rocket engine. The engine can be configured in a reusable or expendable 
configuration, with a goal of reduction in manufacturing cost for the expendable system. The External 
Tank structural efficiency can be extended to in-line launch vehicle configurations and, for a 27.5 foot 
diameter vehicle, tooling is available for manufacturing with state of the art processes. System studies 
indicate that payload to orbit can be achieved in the range of 70 to 130 metric tons. The building blocks 
for upper stages and earth departure stages are in development. The modifications to ground support 
systems are understood. This approach, adopted by the Space Launch System, toward development of 
a heavy lift system represents a cost effective approach for achieving a human exploration capability 
beyond earth orbit. 
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